Hack Tracker · Web2 + Web3

Credentials Are Compromised Everywhere.

Behavioral attacks aren’t a web3 problem. They’re a credentialed-actor problem. Scoprix tracks both worlds — because the attack patterns are identical.

10 · Web2 incidents
10 · Web3 incidents
$25B+ · Total documented losses
100% · Used valid credentials

Web2 · Enterprise & Supply Chain

The Credentials Were Valid.

10 of the most damaging web2 breaches in modern history. Every one used legitimate, authorized credentials.

Total documented losses · $22B+

Web2

Target / Fazio Mechanical

November 2013 · Retail / HVAC supply chain

$200M+

Attack Vector

Vendor credential theft → lateral movement → POS malware

What Happened

A 12-person HVAC contractor (Fazio Mechanical) had network access to Target for electronic billing. Attackers phished one employee, stole valid credentials, and used them to pivot through Target’s network and exfiltrate 40 million credit cards over a 19-day window during the holiday shopping season.

How Scoprix Would Catch It

A vendor account that normally accesses an HVAC billing portal suddenly authenticated to internal POS infrastructure and moved laterally across network segments — the credential was valid, the behavior was not.

Attribution

Eastern European cybercrime group

Partially Recovered

Source: KrebsOnSecurity, US Senate Commerce Committee report

Web2

NotPetya / Maersk

June 2017 · Shipping, logistics, pharma, manufacturing

$10B+

Attack Vector

Supply chain → Ukrainian tax software (M.E.Doc) auto-update poisoned

What Happened

A poisoned auto-update for the Ukrainian tax accounting software M.E.Doc deployed wiper malware disguised as ransomware. Maersk alone lost ~$300M and had global shipping operations halted for weeks. Total worldwide damages exceeded $10B — the costliest cyberattack in history.

How Scoprix Would Catch It

A trusted accounting application suddenly began executing privileged operations across enterprise networks at scale — same code-signing certificate, completely anomalous runtime behavior.

Attribution

Sandworm (Russian GRU Unit 74455)

Unrecovered

Source: Wired, US/UK government attribution, Mandiant analysis

Web2

SolarWinds / Sunburst

December 2020 · IT software / US Federal Government / F500

$100M+ direct, billions cascading

Attack Vector

Build system compromise → trojanized software updates → dormant backdoor

What Happened

Russian state actors compromised SolarWinds’ build pipeline and inserted a backdoor (Sunburst) into legitimate Orion software updates. Over 18,000 organizations downloaded the trojanized update, including the US Treasury, DHS, Commerce, and Microsoft. Attackers used the foothold to access classified email systems for months.

How Scoprix Would Catch It

A network monitoring tool with valid certificates began making outbound DNS queries to never-before-contacted domains and accessing systems unrelated to its function — every credential was authorized, the behavior pattern was anomalous from day one.

Attribution

APT29 / Cozy Bear (Russian SVR)

Unrecovered

Source: FireEye/Mandiant, US Cyber Command, CISA advisories

Web2

Colonial Pipeline

May 2021 · Energy / Critical infrastructure

$4.4M ransom + national fuel crisis

Attack Vector

Single compromised VPN credential, no MFA enabled

What Happened

Attackers used a single leaked VPN password to access the Colonial Pipeline corporate network, deployed DarkSide ransomware, and forced a 6-day shutdown of the largest fuel pipeline on the US East Coast. The shutdown caused gas shortages and panic buying across multiple states. Colonial paid a $4.4M ransom; the FBI later recovered ~$2.3M.

How Scoprix Would Catch It

A dormant VPN credential authenticated for the first time in months from an unfamiliar IP and immediately began enumerating internal systems — valid credential, zero historical behavioral baseline.

Attribution

DarkSide ransomware group

Partially Recovered

Source: Bloomberg, US DOJ, CISA

Web2

Twilio / 0ktapus Campaign

August 2022 · Cloud communications, identity, SaaS

130+ companies impacted

Attack Vector

SMS phishing → fake Okta login → MFA bypass via session token theft

What Happened

A coordinated SMS phishing campaign targeted employees at 130+ companies including Twilio, Cloudflare, MailChimp, and DoorDash. Attackers harvested credentials through fake Okta login pages and used the access to pivot into customer accounts. Twilio confirmed unauthorized access to 209 customer accounts. Signal users were affected via Twilio’s 2FA infrastructure.

How Scoprix Would Catch It

Employee credentials authenticated from new geographies within minutes of a phishing click, then immediately attempted to enumerate downstream API tokens — valid credentials, behavior pattern matched no employee baseline.

Attribution

Scattered Spider / 0ktapus (UNC3944)

Partially Recovered

Source: Group-IB, Twilio incident report, Krebs on Security

Web2

Uber / Lapsus$

September 2022 · Ride-share / mobility

Source code + internal systems

Attack Vector

MFA fatigue attack → social engineering → hardcoded admin credentials

What Happened

An 18-year-old attacker bombarded an Uber contractor with MFA push notifications, then social-engineered them via WhatsApp claiming to be Uber IT. Once inside the VPN, the attacker found hardcoded admin credentials in a PowerShell script and pivoted to AWS, GSuite, Slack, and HackerOne — effectively owning the entire company.

How Scoprix Would Catch It

A contractor account approved a 6th MFA prompt after rejecting 5, then immediately accessed admin scripts and AWS consoles it had never touched — the credentials were valid, the action sequence was wildly off-baseline.

Attribution

Lapsus$ (teen-led extortion group)

Partially Recovered

Source: Uber security blog, NYT, Bloomberg

Web2

LastPass

August 2022 – January 2023 · Password management / SaaS

Customer vault breach

Attack Vector

DevOps engineer’s home computer → keylogger → master vault access

What Happened

A multi-stage breach: attackers first stole source code in August 2022, then in a second incident exploited a vulnerability in a media player on a senior DevOps engineer’s home computer to install a keylogger. They captured the engineer’s LastPass master password and exfiltrated the encrypted customer vault backups, including encrypted password vaults of all customers.

How Scoprix Would Catch It

A senior engineer’s production AWS credentials authenticated from a residential IP at unusual hours and downloaded encrypted vault backups in volumes far exceeding their normal access patterns.

Attribution

Unknown (sophisticated, persistent)

Unrecovered

Source: LastPass disclosure, Wired, security researcher analysis

Web2

MOVEit / Cl0p

May–June 2023 · Cross-industry (Maximus, Shell, BBC, BA, US gov)

$9.9B+ across 2,700+ victims

Attack Vector

Zero-day SQL injection in trusted file transfer software

What Happened

Cl0p exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer — a trusted enterprise file transfer tool used by thousands of organizations. They exfiltrated data from 2,700+ companies including the US Department of Energy, Shell, British Airways, the BBC, and the Oregon DMV. Total impact: $9.9B+ in damages.

How Scoprix Would Catch It

A trusted file transfer service began executing database commands and exfiltrating large volumes of customer data outside its normal usage patterns — every API call was technically authorized, the behavior was wildly anomalous.

Attribution

Cl0p ransomware group (TA505)

Unrecovered

Source: Cybersecurity & Infrastructure Security Agency (CISA), Mandiant, Coveware

Web2

MGM Resorts

September 2023 · Hospitality / casinos / entertainment

$100M+

Attack Vector

Social engineering of IT helpdesk → password reset → ransomware

What Happened

Attackers found an MGM employee on LinkedIn, called the IT helpdesk pretending to be them, and convinced support staff to reset MFA. Within hours they had domain admin access and deployed ALPHV ransomware. MGM’s casino floors, hotel keycards, slot machines, and reservation systems went dark for 10+ days. Loss: ~$100M plus reputational damage.

How Scoprix Would Catch It

A help desk reset MFA for a high-privilege account based on a phone request, and the account immediately authenticated from an unfamiliar device and began enumerating Active Directory — valid credentials, behavior matched no baseline.

Attribution

Scattered Spider (UNC3944) + ALPHV/BlackCat

Partially Recovered

Source: MGM 8-K SEC filing, Reuters, Bloomberg

Web2

Change Healthcare / UnitedHealth

February 2024 · Healthcare / payment processing

$2.4B+ impact, $22M ransom

Attack Vector

Citrix portal with no MFA → lateral movement → ransomware + data theft

What Happened

Attackers used compromised credentials to access a Citrix remote portal that lacked multi-factor authentication, then spent 9 days inside Change Healthcare’s network before deploying ransomware. The attack disrupted prescription processing, claims, and payments for thousands of US healthcare providers for weeks. UnitedHealth paid a $22M ransom; total impact exceeded $2.4B.

How Scoprix Would Catch It

A standard user account authenticated through Citrix from an unfamiliar IP and immediately accessed systems outside its normal job function for 9 consecutive days — every credential was valid, no behavioral baseline alarm fired.

Attribution

ALPHV/BlackCat ransomware affiliate

Unrecovered

Source: UnitedHealth disclosure, US Senate testimony, HIPAA Journal

Sources: Krebs on Security, Mandiant, CISA, FBI IC3, FireEye, US Senate Commerce Committee, victim 8-K filings, Reuters, Bloomberg, Wired, NYT. All incidents verified against multiple public sources.
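Every "How Scoprix Would Catch It" card above describes the same detection idea: the credential is valid, but the sequence of actions departs from that account's own history. As an added illustration (not Scoprix's code or the page's own), this Python sketch learns a per-account baseline from constructed past events and flags three of the patterns the cards describe: a dormant credential reactivating from an unfamiliar IP (Colonial Pipeline), an MFA approval after a run of rejected pushes (Uber), and first-ever access to a resource the account never touched (Target, Change Healthcare). All accounts, IPs, resource names and timestamps are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# an auth-log record; action is "auth", "mfa_deny", "mfa_approve" or "access"
Event = namedtuple("Event", "ts account src_ip action resource", defaults=("",))

def new_baseline():
    # per-account profile: seen IPs, seen resources, last activity, rejected-push streak
    return {"ips": set(), "resources": set(), "last_seen": None, "denials": 0}

def learn(history):
    # build baselines from past, trusted activity only; live events never extend them
    baselines = {}
    for ev in sorted(history, key=lambda e: e.ts):
        b = baselines.setdefault(ev.account, new_baseline())
        b["ips"].add(ev.src_ip)
        if ev.resource: b["resources"].add(ev.resource)
        b["last_seen"] = ev.ts
    return baselines

def detect(live, baselines, dormant_days=60, fatigue_threshold=3):
    # flag valid-credential activity that departs from the learned baseline
    alerts = []
    for ev in sorted(live, key=lambda e: e.ts):
        b = baselines.setdefault(ev.account, new_baseline())
        if ev.action == "auth":
            last = b["last_seen"]  # accounts with no history cannot count as dormant
            if last and ev.ts - last > timedelta(days=dormant_days) and ev.src_ip not in b["ips"]:
                alerts.append((ev.account, "dormant credential reactivated from unfamiliar IP"))
        elif ev.action == "mfa_deny":
            b["denials"] += 1
        elif ev.action == "mfa_approve":
            if b["denials"] >= fatigue_threshold:
                alerts.append((ev.account, f"MFA approved after {b['denials']} rejected pushes"))
            b["denials"] = 0
        elif ev.action == "access" and ev.resource not in b["resources"]:
            alerts.append((ev.account, f"first-ever access to {ev.resource}"))
        b["last_seen"] = ev.ts
    return alerts

def sample_alerts():
    # constructed events (not real logs): a vendor billing account, a dormant VPN user, a contractor
    history = [Event(datetime(2021, 1, 10), "vpn-user7", "203.0.113.9", "auth"),
               Event(datetime(2021, 4, 20), "vendor-billing", "10.1.1.5", "access", "billing-portal")]
    live = [Event(datetime(2021, 4, 29, 9), "vpn-user7", "198.51.100.23", "auth"),
            Event(datetime(2021, 4, 29, 9, 1), "vpn-user7", "198.51.100.23", "access", "ad-enum"),
            Event(datetime(2021, 4, 29, 10), "vendor-billing", "10.1.1.5", "access", "pos-segment")]
    live += [Event(datetime(2021, 4, 29, 11, m), "contractor", "10.2.2.2", "mfa_deny") for m in range(5)]
    live.append(Event(datetime(2021, 4, 29, 11, 6), "contractor", "10.2.2.2", "mfa_approve"))
    return detect(live, learn(history))
```

Running `sample_alerts()` yields four alerts, one per anomalous step, while the vendor's routine billing-portal access and the known-IP logins produce none.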

Web3 · Incidents

Drift Protocol

$285M stolen · April 1, 2026 · Solana
Active Investigation
Attribution: UNC4736 / AppleJeus (DPRK state-affiliated)
Attack Vector: Social engineering → device compromise → multisig key extraction

Summary

A 6-month intelligence operation by North Korean state actors. Attackers posed as a quantitative trading firm, met Drift contributors in person at multiple conferences, deposited $1M of their own capital, then compromised contributor devices via poisoned code repositories and a VSCode/Cursor IDE vulnerability. Same group behind Radiant Capital hack.

Attack Timeline

Fall 2025 · Initial Contact: DPRK actors approach Drift contributors at a major crypto conference, posing as a quant trading firm.
Oct-Nov 2025 · Relationship Building: Multiple in-person meetings at conferences across countries. Telegram group established.
Dec 2025 · Integration Begins: Attackers onboard an Ecosystem Vault on Drift, deposit $1M of their own capital.
Jan 2026 · Working Sessions: Detailed product discussions, vault strategy conversations — building deep trust.
Feb-Mar 2026 · Device Compromise: Poisoned code repository shared. VSCode/Cursor vulnerability silently executes code on contributor devices.
Mar 24, 2026 · Staging Wallet Created: Attacker wallet created 8 days before the attack — initial test transfers.
Apr 1, 2026 · Exploit Executed: Compromised multisig keys used to drain vault. $285M stolen — TVL collapsed from ~$550M to under $250M in 12 minutes.
Apr 1, 2026 · Evidence Scrubbed: Telegram chats and malicious software deleted immediately after exploit.
Apr 4, 2026 · Public Disclosure: Drift publishes full incident background. Mandiant engaged for investigation.

Fund Flow

From | Amount | To | Method | Time
Drift Vault | $285M | Attacker Wallet | Compromised Multisig | Apr 1, 12:00 UTC
Attacker Wallet | $150M | Staging Wallet 1 | Direct Transfer | Apr 1, 12:05 UTC
Attacker Wallet | $120M | Staging Wallet 2 | Direct Transfer | Apr 1, 12:08 UTC
Staging Wallet 1 | $150M | Bridge (SOL→ETH) | Cross-chain Bridge | Apr 1, 12:30 UTC
Staging Wallet 2 | $120M | DEX Swaps | Multiple DEX Swaps | Apr 1, 13:00 UTC
Bridge Exit (ETH) | $80M | Tornado Cash | Mixer Deposit | Apr 2, 02:00 UTC
Bridge Exit (ETH) | $70M | Exchange Deposits | Exchange Deposit | Apr 2, 06:00 UTC

Tracked Wallets

Address | Risk | Role | Chain | Label | First Seen | Note
0x7a3b...f291 | CRITICAL | attacker | Solana | Primary Attacker | 2026-03-24 | Investigation active — address pending public disclosure
0x9c4d...a813 | CRITICAL | staging | Solana | Staging Wallet | 2026-03-20 | Investigation active — address pending public disclosure
0xmix1...tc01 | CRITICAL | mixer | Ethereum | Tornado Cash Deposit | 2026-04-02 | Mixer entry point — funds obscured
0xdead...0001 | HIGH | bridge | Ethereum | Bridge Intermediary | 2026-04-01 | Cross-chain transfer SOL → ETH
0xexch...bnb1 | HIGH | exchange | BSC | Exchange Deposit (Flagged) | 2026-04-03 | Flagged by exchange compliance team

How Scoprix Would Have Prevented This

Multiple layers would have caught this at different stages. Layer 1: the $285M drain far exceeds policy limits — blocked before execution. Layer 2: the attackers manufactured a fake token (CVT) as collateral — our interaction monitoring would flag the new, unverified contract. The sudden shift from 6 months of normal trading to massive withdrawals triggers value analysis and temporal pattern detection simultaneously. Layer 3: the social engineering language in transaction descriptions ("emergency", "consolidation") is caught by dual-AI consensus. Even with compromised keys, the attacker would have been stopped at the first abnormal action — not the last.

Related Incidents